Pages

Friday, October 18, 2013

ICS-CERT Publishes DNP3 Summary Advisory

Today the DHS ICS-CERT took the unusual step of issuing an
advisory very briefly summarizing the information that had already been
summarized in 9 earlier DNP3 system advisories based upon the work of Adam
Crain and Chris Sistrunk. I have addressed the individual advisories here in
this blog.

What has undoubtedly driven this unusual publication is the
recent discussion about the very real potential consequences of the vulnerabilities
that have been taking place over the last couple of days in various
cybersecurity venues on the internet. A good
example can be found at DigitalBond.com where Dale Peterson describes how
easily these vulnerabilities could be used to shut down much of the electrical
distribution system in the US.

ICS-CERT does not acknowledge these discussions as the
reason for the issuance of this advisory. In fact, they completely ignore the
scope of the problem that is being discussed quite widely in the control system
security community. If one were to read just this advisory, it would seem that
this is just the common, garden-variety denial of service advisory that we have
been seeing for the last couple of years.

Part of this is due to the lack of grandstanding by Adam and
Chris. Because of their professional backgrounds, I am sure that they are fully
aware of how easily these vulnerabilities could be exploited to bring down
electrical (or gas, or water, or whatever SCADA controlled distribution system
is using DNP3 based devices) transmission systems. Instead of yelling from the
mountain top, they have calmly gone through the coordinated disclosure process
and worked with ICS-CERT and the vendors to get patches developed for these
systems.

BTW: Have I
mentioned lately that there are still 15
Crain-Sistrunk vulnerabilities that have yet to see the light of day? They
are still wending their way through the disclosure process, and some of them may
do for Modbus what has already been done for DNP3.

So it has taken public discussions by other members of the
control system community to get ICS-CERT to react to the real scale of the
potential problem. Unfortunately, while ICS-CERT has stepped up to the plate,
they waited until the pitched ball was in the catcher’s mitt to feebly wuff the
bat vaguely over the plate. This is real surprising from an organization that
annually exaggerates the number of attacks on control systems (equating IT
attacks on corporate networks as attacks on control systems owned by those
companies).

It would have been nice if this advisory had even mentioned
that the lax physical security at remote transmission sites would make it easy
for an attacker to gain access to the whole SCADA network or shut down key
nodes of that network. Then maybe readers of the advisory would begin to see
the scale of this vulnerability and why it really did justify a summary
advisory that ICS-CERT pretended to issue today.

Looking at the last two advisories to come out of ICS-CERT
it is clear that, while ICS-CERT understands the microcosmic aspects of control
system security, they either fail to grasp or just plain ignore the macrocosmic
scope of control system security problems. Somebody needs to readjust their
focus and it won’t be a former DOD lawyer and political crony of the President.

About Me

I spent 15 years in the US Army as an Infantry NCO. After getting out of the Army I started working in the chemical industry, getting my BSc Chemistry degree while working as a technician. I spent 12 years working as a process chemist in a specialty chemical company. Most recently I worked as a QA/R&D Manager in a specialty chemical manufacturing facility. Currently I am working as a freelance writer.